US-20260019811-A1

Clientless SASE Architecture with Adaptive Proxy Policies Enforcement Based on Certificate Installation

Published: January 15, 2026
Assignee: not available in USPTO data
Technical Abstract

A clientless security system secures cellular devices across a network in a cloud-based environment. The clientless security system includes a tenant with multiple cellular devices, tunnels for transmitting traffic, and a traffic steering module for directing traffic towards a gateway. The traffic steering module provisions a SIM with network identifiers, configures the SIM with a custom network identifier, and creates a device-to-IP mapping that it distributes to the gateways in real time. The gateways load tenant information, decrypt secure sockets layer (SSL) traffic, and determine whether a certificate for hypertext transfer protocol communication is installed on the cellular device. When the certificate is not installed, a uniform resource locator (URL) is classified based on the server name indication (SNI); when the certificate is installed, proxy policies are enforced. The gateway retrieves security policies, detects threats based on the security policies, remediates detected threats, and encrypts the SSL.

Patent Claims

Legal claims defining the scope of protection, as filed with the USPTO.

1

(canceled)

2

A clientless security system for securing a plurality of cellular devices across a cellular network in a cloud-based environment, the clientless security system comprises:
  a tenant of a plurality of tenants using a plurality of cellular networks, the tenant includes the plurality of cellular devices;
  a plurality of tunnels between a cellular device of the plurality of cellular devices and the cellular network, the plurality of tunnels is operable to:
    transmit traffic from the cellular device of the plurality of cellular devices at the cellular network; and
    identify traffic associated with a plurality of network identifiers;
  a traffic steering module to route traffic towards a gateway of a plurality of gateways in the cloud-based environment, wherein the traffic steering module is operable to:
    provision a Subscriber Identity Module (SIM) with the plurality of network identifiers;
    configure the SIM with a custom network identifier;
    create a device-to-IP mapping;
    distribute the device-to-IP mapping to the plurality of gateways in real-time; and
    route traffic to the gateway of the plurality of gateways using the custom network identifier;
  the gateway configured to:
    load tenant information from a device-to-IP mapping database;
    decrypt, by a secure web gateway (SWG), a secure sockets layer (SSL) based on the tenant information;
    determine an installation of a certificate for a hypertext transfer protocol (HTTP) communication on the cellular device, wherein:
      on determination that the certificate is not installed, classify a uniform resource locator (URL) for access by the cellular device based on a server name indication (SNI), and
      on determination that the certificate is installed, enforce proxy policies by the SWG;
    retrieve security policies from a policy database to apply to the traffic of the cellular device;
    detect threats based on application of the security policies;
    remediate detected threats in the cellular network; and
    encrypt the SSL at the cellular device.

3

The clientless security system of claim 2, wherein the certificate is an organization's package installed at the cellular device to provide a global secure SIM clientless Secure Access Service Edge (SASE) solution.

4

The clientless security system of claim 2, wherein the SSL decryption allows authorized users or organizations to convert encrypted data back to its original, readable state.

5

The clientless security system of claim 2, wherein the SNI is a technique used to identify and filter the traffic without the certificate in HTTP communication, and the SNI is an extension of the Transport Layer Security (TLS) protocol.

6

The clientless security system of claim 2, wherein the proxy policies enforcement includes:
  classification of URLs associated with the plurality of cellular devices that includes categorization of websites based on content and reputation of the URL;
  identification of application and filtration of events;
  application of data loss prevention (DLP) measures, by the SWG, to monitor and control data being transmitted from the traffic of the cellular device; and
  selection of a target set selection (TSS) for target routing by optimizing data flow across the cellular network.

7

The clientless security system of claim 2, wherein the SNI-based URL filtering is performed on the traffic at a firewall that utilizes the SNI field, which is part of a Transport Layer Security (TLS) handshake process, to determine a hostname of a server that a client is attempting to connect to.

8

The clientless security system of claim 6, wherein the DLP analyzes the traffic to find an anomaly or a violation of a policy.

9

The clientless security system of claim 6, wherein the DLP incorporates features of a zero-trust network access (ZTNA) and a cloud access security broker (CASB).

10

The clientless security system of claim 6, wherein the TSS selects the best nodes based on a destination, a type of data, and network conditions for data transfer for managing network traffic.

11

A clientless security method for securing a plurality of cellular devices across a cellular network in a cloud-based environment, the clientless security method comprising:
  transmitting traffic from a cellular device of the plurality of cellular devices at the cellular network;
  identifying traffic associated with a plurality of network identifiers;
  routing traffic towards a gateway of a plurality of gateways in the cloud-based environment using a traffic steering module, wherein the traffic steering module is operable to:
    provisioning a Subscriber Identity Module (SIM) with the plurality of network identifiers;
    configuring the SIM with a custom network identifier;
    creating a device-to-IP mapping;
    distributing the device-to-IP mapping to the plurality of gateways in real-time; and
    routing traffic to the gateway of the plurality of gateways using the custom network identifier;
  loading tenant information from a device-to-IP mapping database;
  decrypting, by a secure web gateway (SWG), a secure sockets layer (SSL) based on the tenant information;
  determining an installation of a certificate for a hypertext transfer protocol (HTTP) communication on the cellular device, wherein the gateway is configured to:
    on determining that the certificate is not installed, classifying a uniform resource locator (URL) for access by the cellular device based on a server name indication (SNI), and
    on determining that the certificate is installed, enforcing proxy policies by the SWG;
  retrieving security policies from a policy database to apply to the traffic of the cellular device;
  detecting threats based on application of the security policies;
  remediating detected threats in the cellular network; and
  encrypting the SSL at the cellular device.

12

The clientless security method of claim 11, wherein the certificate is an organization's package installed at the cellular device to provide a global secure SIM clientless Secure Access Service Edge (SASE) solution.

13

The clientless security method of claim 11, wherein the SSL decryption allows authorized users or organizations to convert encrypted data back to its original, readable state.

14

The clientless security method of claim 11, wherein the SNI is a technique used to identify and filter traffic without the certificate in HTTP communication, and the SNI is an extension of the Transport Layer Security (TLS) protocol.

15

The clientless security method of claim 11, wherein the proxy policies enforcement includes:
  classifying URLs associated with the plurality of cellular devices, including categorizing websites based on content and reputation of the URL;
  identifying applications and filtering events;
  applying data loss prevention (DLP) measures, by the SWG, to monitor and control data being transmitted from the traffic of the cellular device; and
  selecting a target set selection (TSS) for target routing by optimizing data flow across the cellular network.

16

The clientless security method of claim 11, wherein the SNI-based URL filtering is performed on the traffic at a firewall that utilizes the SNI field, which is part of a Transport Layer Security (TLS) handshake process, to determine a hostname of a server that a client is attempting to connect to.

17

The clientless security method of claim 15, wherein the DLP analyzes the traffic to find any anomaly or violation of a policy.

18

The clientless security method of claim 15, wherein the DLP incorporates features of a zero-trust network access (ZTNA) and a cloud access security broker (CASB).

19

The clientless security method of claim 15, wherein the TSS selects the best nodes based on a destination, a type of data, and network conditions for data transfer for managing network traffic.

20

A computer-readable media having computer-executable instructions embodied thereon that, when executed by one or more processors, facilitate a clientless security method for securing a plurality of cellular devices across a cellular network in a cloud-based environment, the clientless security method comprising:
  transmitting traffic from a cellular device of the plurality of cellular devices at the cellular network;
  identifying traffic associated with a plurality of network identifiers;
  routing traffic towards a gateway of a plurality of gateways in the cloud-based environment using a traffic steering module, wherein the traffic steering module is operable to:
    provisioning a Subscriber Identity Module (SIM) with the plurality of network identifiers;
    configuring the SIM with a custom network identifier;
    creating a device-to-IP mapping;
    distributing the device-to-IP mapping to the plurality of gateways in real-time; and
    routing traffic to the gateway of the plurality of gateways using the custom network identifier;
  loading tenant information from a device-to-IP mapping database;
  decrypting, by a secure web gateway (SWG), a secure sockets layer (SSL) based on the tenant information;
  determining an installation of a certificate for a hypertext transfer protocol (HTTP) communication on the cellular device, wherein the gateway is configured to:
    on determining that the certificate is not installed, classifying a uniform resource locator (URL) for access by the cellular device based on a server name indication (SNI), and
    on determining that the certificate is installed, enforcing proxy policies by the SWG;
  retrieving security policies from a policy database to apply to the traffic of the cellular device;
  detecting threats based on application of the security policies;
  remediating detected threats in the cellular network; and
  encrypting the SSL at the cellular device.

21

The computer-readable media of claim 20, wherein the certificate is an organization's package installed at the cellular device to provide a global secure SIM clientless Secure Access Service Edge (SASE) solution.
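The certificate-installed branch of claims 2, 5 and 7 hinges on one fact: without the organization's certificate on the device the gateway cannot terminate TLS, so the only hostname it can act on is the cleartext server_name in the ClientHello. The following is an added illustration, not code from the patent or its assignee. It parses the SNI out of a constructed ClientHello record, then chooses the SNI-filter path or the full SWG proxy path depending on an installed-certificate flag. The URL-category table, the hostnames, and the way the gateway learns that the certificate is installed (here just a boolean argument) are all assumptions; the page does not specify them.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Constructed URL-category table and block list (assumed data, not from the patent).
URL_CATEGORIES = {
    "intranet.example.com": "business",
    "files.example.net": "file-sharing",
    "evil.example.org": "malware",
}
BLOCKED_CATEGORIES = {"malware", "file-sharing"}


def parse_client_hello_sni(record: bytes) -> Optional[str]:
    """Extract the host_name from a TLS ClientHello record, or None.

    Walks record header (5 bytes) -> handshake header (4 bytes) -> ClientHello
    body -> extensions, reading only the server_name extension (type 0).
    Every length is bounds-checked so truncated or non-TLS input yields None.
    """
    if len(record) < 5 or record[0] != 0x16:            # 0x16 = handshake record
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x01:                 # 0x01 = client_hello
        return None
    hs_len = int.from_bytes(body[1:4], "big")
    ch = body[4:4 + hs_len]
    pos = 2 + 32                                          # client_version + random
    if len(ch) < pos + 1:
        return None
    pos += 1 + ch[pos]                                    # session_id
    if len(ch) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", ch[pos:pos + 2])[0]    # cipher_suites
    if len(ch) < pos + 1:
        return None
    pos += 1 + ch[pos]                                    # compression_methods
    if len(ch) < pos + 2:
        return None
    end = pos + 2 + struct.unpack("!H", ch[pos:pos + 2])[0]
    pos += 2
    if end > len(ch):
        return None
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", ch[pos:pos + 4])
        pos += 4
        edata = ch[pos:pos + elen]
        pos += elen
        if etype != 0x0000 or len(edata) < 5:
            continue
        # ServerNameList: u16 list length, then entries of type(1) + len(2) + name.
        list_end = 2 + struct.unpack("!H", edata[0:2])[0]
        q = 2
        while q + 3 <= min(list_end, len(edata)):
            ntype = edata[q]
            nlen = struct.unpack("!H", edata[q + 1:q + 3])[0]
            name = edata[q + 3:q + 3 + nlen]
            if ntype == 0 and len(name) == nlen:          # host_name entry
                try:
                    return name.decode("ascii").lower()
                except UnicodeDecodeError:
                    return None
            q += 3 + nlen
    return None


def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello carrying one SNI host_name entry."""
    name = server_name.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name
    sni_ext = struct.pack("!H", len(entry)) + entry
    exts = struct.pack("!HH", 0x0000, len(sni_ext)) + sni_ext
    ch = (b"\x03\x03" + bytes(32)                # version 1.2, zero random (constructed)
          + b"\x00"                              # empty session_id
          + struct.pack("!H", 2) + b"\x13\x01"   # one cipher suite
          + b"\x01\x00"                          # null compression
          + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(ch).to_bytes(3, "big") + ch
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


@dataclass
class Decision:
    mode: str     # "sni-filter" (certificate absent) or "full-proxy" (certificate present)
    action: str   # "allow", "block", or "inspect"
    reason: str


def decide(client_hello: bytes, cert_installed: bool) -> Decision:
    """Pick the enforcement path for one ClientHello; cert_installed is an assumed input."""
    host = parse_client_hello_sni(client_hello)
    if cert_installed:
        # The SWG can terminate TLS, so hand off to decrypt-and-inspect proxy policies.
        return Decision("full-proxy", "inspect", f"intercept {host or '<no SNI>'} at SWG")
    # Without the certificate only the cleartext SNI is visible; fail closed if absent.
    if host is None:
        return Decision("sni-filter", "block", "no SNI in ClientHello; cannot classify")
    category = URL_CATEGORIES.get(host, "uncategorized")
    action = "block" if category in BLOCKED_CATEGORIES else "allow"
    return Decision("sni-filter", action, f"{host} -> {category}")
```

The SNI is sent by the client and is not authenticated by the server, so a device can name one host and fetch another (domain fronting), and Encrypted Client Hello removes it entirely. That is why the example blocks when no SNI is present rather than allowing, and why the installed-certificate path, which sees the decrypted Host header and the real server certificate, is the one that should carry the finer-grained proxy policies.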

Detailed Description

Complete technical specification and implementation details from the patent document.

This is a continuation of U.S. Non-Provisional application Ser. No. 18/769,302, filed Jul. 10, 2024, which is incorporated by reference for all purposes.

This disclosure relates, in general, to internet security and data protection systems and, not by way of limitation, to a global secure architecture for cellular devices, among other things.

The traditional SIM Secure Access Service Edge (SASE) architecture in cellular networks refers to a security framework that integrates network and security functions with WAN capabilities to support the dynamic, secure access requirements of organizations. In this architecture, the security services are delivered at the network edge, closer to the users and devices, which can include IoT and OT devices that rely on cellular networks for connectivity.

The traditional SIM SASE architecture is challenged by its software client dependency, which is at odds with the low-power, application-specific operating systems of many cellular IoT devices. This design is not conducive to the decentralized, scalable, and secure approach entailed for modern enterprise operations, particularly in the context of mobile and IoT device security. These limitations underscore the requirement for a new, more adaptable security framework that can meet the demands of today's mobile networks and the diverse array of devices they support.

In one embodiment, the present disclosure provides a clientless security system to secure cellular devices across a network in a cloud-based environment. The clientless security system includes a tenant with multiple cellular devices, tunnels for transmitting traffic, and a traffic steering module for directing traffic towards a gateway. The clientless security system further includes gateways to apply policies based on a device profile and an alert generator. The traffic steering module provisions a SIM with network identifiers, configures the SIM with a custom network identifier, creates a device-to-IP mapping, and distributes the device-to-IP mapping to gateways in real-time. The gateways apply multiple policies based on a device profile, receive traffic from the traffic steering module, and perform a reverse lookup. The gateways further determine a device identity, apply policies, and forward traffic to a destination. The alert generator is also used to notify the tenant of further remediation in case of policy violations.

In an embodiment, a clientless security system to secure cellular devices across a network in a cloud-based environment is provided. The clientless security system includes a tenant with multiple cellular devices, tunnels for transmitting traffic, and a traffic steering module for directing traffic towards a gateway. The clientless security system further includes gateways to apply policies based on a device profile and an alert generator. The traffic steering module provisions a SIM with network identifiers, configures the SIM with a custom network identifier, creates a device-to-IP mapping, and distributes the device-to-IP mapping to gateways in real-time. The custom network identifier is used for traffic segregation in the cellular network; the custom network identifier is an APN for a 4G network and a DNN for a 5G network. The device-to-IP mapping is created using a universal unique mobile subscriber identity (UUMSI) identifier as primary key. The gateways apply multiple policies based on a device profile, receive traffic from the traffic steering module, and perform a reverse lookup. The gateways further determine a device identity, apply policies, and forward traffic to a destination. The alert generator is also used to notify the tenant of further remediation in case of policy violations. The remediation done by the gateways includes blocking corresponding traffic, quarantining the cellular device, and allowing limited connectivity to the cellular device.

In an embodiment, a clientless security method to secure cellular devices across a network in a cloud-based environment is provided. In one step, the clientless security method includes transmitting traffic of a cellular device and using a traffic steering module for directing traffic towards a gateway. The clientless security method further includes applying policies based on a device profile using gateways. The traffic steering module provisions a SIM with network identifiers, configures the SIM with a custom network identifier, creates a device-to-IP mapping, and distributes the device-to-IP mapping to gateways in real-time. The custom network identifier is used for traffic segregation in the cellular network; the custom network identifier is an APN for a 4G network and a DNN for a 5G network. The device-to-IP mapping is created using a universal unique mobile subscriber identity (UUMSI) identifier as primary key. The gateways apply multiple policies based on a device profile, receive traffic from the traffic steering module, and perform a reverse lookup. The gateways further determine a device identity, apply policies, and forward traffic to a destination. Finally, the clientless security method notifies a tenant of further remediation in case of policy violations. The remediation done by the gateways includes blocking corresponding traffic, quarantining the cellular device, and allowing limited connectivity to the cellular device.

In yet another embodiment, a computer-readable media is discussed having computer-executable instructions embodied thereon that, when executed by one or more processors, facilitate a clientless security method to secure cellular devices across a network in a cloud-based environment. In one step, the clientless security method includes transmitting traffic of a cellular device and using a traffic steering module for directing traffic towards a gateway. The clientless security method further includes applying policies based on a device profile using gateways. The traffic steering module provisions a SIM with network identifiers, configures the SIM with a custom network identifier, creates a device-to-IP mapping, and distributes the device-to-IP mapping to gateways in real-time. The custom network identifier is used for traffic segregation in the cellular network; the custom network identifier is an APN for a 4G network and a DNN for a 5G network. The device-to-IP mapping is created using a universal unique mobile subscriber identity (UUMSI) identifier as primary key. The gateways apply multiple policies based on a device profile, receive traffic from the traffic steering module, and perform a reverse lookup. The gateways further determine a device identity, apply policies, and forward traffic to a destination. Finally, the clientless security method notifies a tenant of further remediation in case of policy violations. The remediation done by the gateways includes blocking corresponding traffic, quarantining the cellular device, and allowing limited connectivity to the cellular device.

Further areas of applicability of the present disclosure will become apparent from the detailed description provided hereinafter. It should be understood that the detailed description and specific examples, while indicating various embodiments, are intended for purposes of illustration only and are not intended to necessarily limit the scope of the disclosure.

In the appended figures, similar components and/or features may have the same reference label. Further, various components of the same type may be distinguished by following the reference label by a dash and a second label that distinguishes among the similar components. If only the first reference label is used in the specification, the description is applicable to any one of the similar components having the same first reference label irrespective of the second reference label.

The ensuing description provides preferred exemplary embodiment(s) only, and is not intended to limit the scope, applicability or configuration of the disclosure. Rather, the ensuing description of the preferred exemplary embodiment(s) will provide those skilled in the art with an enabling description for implementing a preferred exemplary embodiment. It is understood that various changes may be made in the function and arrangement of elements without departing from the spirit and scope as set forth in the appended claims.

Referring to FIG. 1, a block diagram of an embodiment of a clientless security system 100 to secure cellular devices across a cellular network in a cloud-based environment is shown. The clientless security system 100 is targeted toward enterprises, service providers, and solution vendors who are deploying and managing large-scale cellular networks. The clientless security system 100 provides a clientless Secure Access Service Edge (SASE) solution that extends enterprise-grade security capabilities to cellular devices while leveraging the existing cellular network infrastructure and Subscriber Identity Module (SIM)/embedded SIM (eSIM)/integrated SIM (iSIM) technologies. By eliminating the requirement for client-side modifications, the clientless security system 100 enables scalable, efficient, and comprehensive security for a wide range of devices and applications.

The clientless security system 100 addresses the challenge of securing cellular devices and their communications without relying on client-side software or hardware modifications. The clientless security system 100 works at a hypervisor (data-link) layer of a cloud open systems interconnection (OSI) model. As the number of devices connected through cellular networks continues to grow exponentially, ensuring the security of these devices and their data becomes increasingly exigent. Traditional security solutions often require the installation of client software or agents on the devices themselves, which can be impractical or infeasible for many use cases due to resource constraints, proprietary operating systems, or the sheer scale of deployment.

The clientless security system 100 includes a network 102, gateway(s) 104, tenant(s) 106 (106-1, 106-2, 106-3), cellular device(s) 108 (108-1, 108-2, 108-3), and tunnel(s) 116 (116-1, 116-2, 116-3, 116-4). The clientless security system 100 further includes a traffic steering module 110 and an alert generator 112. The network 102 is a cellular network connecting the tenant(s) 106 and transmitting traffic between the cellular devices 108 and the gateways 104. From here on, the terms "cellular network" and "network" will be used interchangeably in this application.

The 4G/5G cellular network provides connectivity and data transmission capabilities for the cellular devices 108. The clientless security system 100 uses the existing mechanism provided by the 4G/5G network to enable device authentication as well as secure traffic steering and segmentation using custom Access Point Names (APNs) for the 4G network or custom Data Network Names (DNNs) for the 5G network. Based on the device identity and APN/DNN configuration, the 4G/5G network creates secure pathways for traffic by segmenting the traffic based on device identity and intended destination in the SASE domain.

The tenant 106 links with multiple cellular devices 108 that access the applications provided on the network 102. The cellular devices 108 are portable electronic devices that use cellular network technology to enable wireless communication. The cellular devices 108 encompass a wide range of gadgets, including smartphones, tablets, and certain types of computers. These devices can transmit data and access the internet. They operate over a network of cells, each served by a base station, allowing for seamless communication even when the user is on the move.

The cellular devices 108 connect to the cellular (4G/5G) network using the SIM, which can be a physical SIM, eSIM, or iSIM, and which stores the device's network identifiers and security credentials. The Global Secure SIM provided by the clientless security system 100 for device connectivity is configured with multiple network identifiers, i.e. International Mobile Subscriber Identities (IMSIs), which can be managed Over the Air (OTA) so that the device's data connectivity is not tied to any specific mobile network operator (MNO). From now on in this document, "SIM" will be used as a generic term to represent all different forms like physical SIM, eSIM, and iSIM.

The cellular devices 108 with Global Secure SIM are configured with a custom access point name (APN) for LTE and a data network name (DNN) for the 5G network to ensure that the cellular device traffic is segregated and routed through the designated security gateways in the SASE domain for inspection and policy enforcement. In this application, the SIM/eSIM/iSIM enabled IoT devices are referred to as "cellular devices" from hereon.

The tunnels 116 of the clientless security system 100 are IPsec-protected pathways used to secure network communications. This provides a means to establish encrypted connections across public networks. Traffic incoming from different tenants remains separated in the tunnels 116. IPsec is a suite of protocols designed to ensure the confidentiality, integrity, and authenticity of data packets as they travel over the internet or other untrusted networks. It operates by encrypting and encapsulating IP packets, effectively creating a tunnel through which data can pass securely. This is particularly useful for virtual private networks (VPNs), where sensitive information has to be protected from potential interception. Furthermore, the tunnels 116 receive traffic from the cellular device 108 at the cellular network and identify traffic using network identifiers.

The gateways 104 in a cellular network serve as the point of interconnection where data is translated and transferred between disparate network protocols. The gateways 104 are responsible for tasks such as authentication, routing, and packet optimization, which are cardinal for the operation of 3G, 4G, and 5G networks. The gateways 104 ensure that the cellular devices 108 can connect to the core network and that data can flow smoothly and securely from one part of the network to another. The gateways 104 also manage the traffic that enters and exits the network, maintaining the integrity and efficiency of the communication processes within the cellular network infrastructure. The gateways 104 of the clientless security system 100 receive security policies, device-to-IP mappings, and configuration updates from the SASE management plane and enforce the security policies and access controls defined by the management plane on the device traffic.

The gateways 104 further send real-time telemetry data, logs, and security events to the management plane for analysis and reporting. They also enable dynamic adaptation of security measures based on the instructions received from the SASE management plane, and receive and process incoming traffic from devices steered through the cellular network. The traffic steering module 110 is used to route traffic of the cellular devices 108 towards the gateway 104 in the cellular network. The traffic steering module 110 provisions the SIM with network identifiers such as an APN in the 4G network and a DNN in the 5G network. The SIM is configured with a custom network identifier or universal unique mobile subscriber identifier (UUMSI), and a "device-to-IP mapping" is created at the cellular network. The traffic steering module 110 then distributes the device-to-IP mapping to the gateways 104 in real-time and routes the traffic to the gateways 104 using custom network identifiers. Finally, the alert generator 112 notifies the tenant(s) 106 in the cloud-based environment for further remediation in case of detection of a policy violation.

Referring next to FIG. 2, a block diagram of the traffic steering module 110 of the clientless security system 100 is shown. The traffic steering module 110 is used to route traffic towards the secured gateways in the cloud-based environment. The components of the traffic steering module 110 interact seamlessly to provide a multi-layered security approach. The traffic steering module 110 consists of a connectivity management platform 202, a subscription management block 204, an APN/DNN configuration block 206, a management plane 208, and a universal unique mobile subscriber identifier (UUMSI) block 210. The connectivity management platform 202 handles the provisioning and lifecycle management of SIMs. The connectivity management platform 202 manages the SIM profiles with pertinent network identifiers (IMSIs) over-the-air (OTA), allowing the cellular devices 108 with SIMs to have global connectivity over the 4G/5G network. The connectivity management platform 202 also configures the SIM profile with a custom APN for 4G networks or custom DNN for 5G networks and ensures the cellular device 108 connects to designated cellular network infrastructure using the specified custom APN/DNN to enable traffic segregation and secure routing of device traffic through the 4G/5G network to the designated SASE gateway.

The connectivity management platform 202 further communicates with the subscription management block 204 in the 4G/5G Packet Core over a specific telecom protocol interface (Gx interface) or using REST APIs to request and manage IPv4/IPv6 address assignments for the SIM. The subscription management block 204 maintains the SIM subscription inventory including the associated SIM/eSIM/iSIM profiles, network identifiers, and provisioning status. The subscription management block 204 acts as a policy and configuration management entity with capabilities to configure data usage limits, network access (allow, suspend, restrict), network/location changes, etc., which can be leveraged programmatically to manage a device's connectivity.

The connectivity management platform 202 further provides RESTful API interfaces for seamless integration with the management plane 208 for sharing device provisioning data, IP address assignments, and other relevant information, which enables the management plane 208 to retrieve device details and create the device-to-IP mappings. The APN/DNN configuration block 206 assigns custom APNs/DNNs on the SIM/eSIM/iSIM to steer traffic of the cellular devices 108 to the nearest SSE gateway. The management plane 208 allows for the centralized configuration, monitoring, and enforcement of security policies across a cellular network. This approach simplifies the management of security policies, ensuring that they are consistently applied to all devices, regardless of their location. By leveraging the management plane 208, the tenant(s) 106 can streamline their security operations, reduce the complexity of managing numerous devices, and respond more swiftly to security threats. The management plane 208 enhances visibility and control over the network, enabling administrators to implement and adjust policies with ease and precision.

The management plane 208 retrieves device and subscription details from the connectivity management platform 202 for creating a UUMSI for each individual cellular device based on the retrieved information. The management plane 208 establishes and maintains a mapping between the UUMSI and the device's assigned IP address using the "device-to-IP mapping". The UUMSI addresses the limitations of traditional identifiers and provides a secure, scalable, and interoperable solution for device identification and access control in a clientless SASE environment. By leveraging UUMSI, the clientless security system 100 can effectively manage and secure the cellular devices 108, enforce granular security policies, and enhance the overall security posture of cellular deployments. The management plane 208 also helps in defining and managing security policies for the cellular devices 108 based on their identity, tenant, and application requirements with device-level granularity in real-time to adapt to changing security requirements.

The management plane 208 distributes the "device-to-IP" mapping information to the gateways 104 that are related to the traffic in real-time and coordinates with the connectivity management platform 202 for intelligent traffic steering to route device traffic to the most suitable SASE gateway based on device location, network conditions, and security requirements, influencing routing decisions from the 4G/5G network to the gateway 104 for in-line security. The management plane 208 further identifies the gateways 104 which can be leveraged for fail-over scenarios to ensure disruption-free service.

The UUMSI block 210 provides a unique identifier for each cellular device, regardless of the specific type of identifier used by the device (e.g., ICCID for SIM, EID for eSIM, or iSIM ID for iSIM). Unlike traditional identifiers like the International Mobile Subscriber Identity (IMSI) or International Mobile Equipment Identity (IMEI), which can be subject to spoofing or cloning, the UUMSI is designed to be immutable and tamper resistant. The UUMSI block 210 derives the unique identifier from device-specific identifiers, making it more secure and reliable for device identification and authentication. The UUMSI follows a standardized format, typically consisting of a fixed-length string of digits. This standardization allows for interoperability and compatibility across different cellular networks, platforms, and security systems. The UUMSI is used to establish a mapping between the cellular device 108 and the corresponding tenant or organization within the SASE domain. This mapping enables granular access control and policy enforcement based on the device's identity and associated tenant. The fixed-length and all-digit format of the UUMSI enables efficient storage, indexing, and comparison operations. This facilitates fast and scalable device lookup and policy enforcement, making it suitable for large-scale cellular deployments.

Referring next to FIG. 3, a block diagram of the gateway for applying policies and analyzing incoming traffic is shown. The gateways in a cellular network serve as the point of interconnection where data is translated and transferred between disparate network protocols. The gateways are responsible for tasks such as authentication, routing, and packet optimization, which are essential for the operation of 3G, 4G, and 5G networks. The gateways ensure that the cellular devices can connect to the core network and that data can flow smoothly and securely from one part of the network to another. The gateways also manage the traffic that enters and exits the network, maintaining the integrity and efficiency of the communication processes within the cellular network infrastructure. The gateways of the clientless security system receive security policies, device-to-IP mappings, and configuration updates from the management plane and enforce the security policies and access controls defined by the management plane on the device traffic. The policies define inline security functions and access controls based on the tenant(s) and a device identity. The gateways further send real-time telemetry data, logs, and security events to the management plane for analysis and reporting. The gateways also enable dynamic adaptation of security measures based on the instructions received from the management plane, and receive and process incoming traffic from devices steered through the cellular network.

The gateway includes a device-to-IP mapping database, a lookup module, a policy database, a DLP block, a remediation block, a secure web gateway (SWG), and a target set selection (TSS) block. The device-to-IP mapping database stores the mappings that were created by the management plane to identify the cellular device in the cellular network. All new mappings are stored, updated, and distributed by the device-to-IP mapping database in real-time. The lookup module acts as an identity management system and performs a reverse lookup using a source IP address to determine the device identity corresponding to traffic. The lookup module finds the identity of the cellular device corresponding to traffic and sends it to the SWG.

The operation of the SWG is based on a set of predefined security rules and policies that are applied to web traffic. These policies can be configured to block or allow access to specific uniform resource locators (URLs), limit the transfer of sensitive information, and detect and block advanced threats like zero-day malware. The SWG uses URL filtering, which involves categorizing websites into groups based on their content and reputation, and then applying access controls based on these categories. For example, a company might block access to social media sites during work hours or prevent employees from accessing websites known to host malware.

In addition to URL filtering, the SWG often includes data loss prevention (DLP) capabilities to monitor and control data being transmitted to and from the network. This helps in preventing sensitive information from leaving the corporate network unintentionally. Moreover, the SWG performs SSL decryption, inspecting encrypted traffic for hidden threats and forwarding the traffic to a destination in the cloud-based environment. The clientless security system provides security to the cellular device in both cases: where the cellular device has a certificate installed for hypertext transfer protocol (HTTP) communication, and where it does not. The certificate is an organization's package installed at the cellular device to provide a global secure SIM clientless SASE solution. For the cases where there is no way to install an HTTPS trusted certificate, the clientless security system uses a server name indication (SNI) based URL filtering method to keep the cellular device safe. SNI-based URL filtering can also be performed on the traffic at the firewall, which utilizes the SNI field, part of the Transport Layer Security (TLS) handshake process, to determine the hostname of the server that the client is attempting to connect to.

The DLP block retrieves policies from the policy database. The policy database has a multitude of policies that support varied rules and conditions, which could be based on user identity, device type, application, and content type. The device profile for individual tenant(s) is created by analyzing its policies, traffic patterns, and device types associated with the tenant(s). The DLP block analyzes the traffic to find any anomaly or violation of a policy. For this purpose, the DLP block incorporates features of zero-trust network access (ZTNA) and a cloud access security broker (CASB). The DLP block applies policies on the traffic instance based on the device identity. Upon detection of a violation of a policy or multiple policies, an alert is generated to notify the tenant(s) for further remediation. The remediation block at the gateway triggers event-based actions based on the input the SASE platform provides to the connectivity management platform for enforcing real-time security. For example, if the device traffic is identified as malicious by the gateway, the management plane will send a command to the connectivity management platform to suspend/terminate device connectivity.

Furthermore, for forwarding traffic to a destination in the cloud-based environment, the gateway would require the TSS block along with the SWG component with URL filtering, SSL decryption, and advanced threat protection features. By leveraging advanced threat intelligence, the SWG and the DLP block can identify and block access to known malicious websites, thereby preventing malware infections and other security breaches. It also enforces corporate and regulatory policies by controlling access to unauthorized web content, ensuring that strictly safe and approved communication passes through. In the context of cellular network gateways, the TSS block is used to optimize data flow across the cellular network. The TSS block selects the best nodes or targets for data transfer, which can help in managing network traffic and improving overall efficiency. This selection is based on various criteria, such as the type of data, its destination, and the current network conditions. The TSS block ensures that the cellular network can handle large volumes of data effectively, especially in scenarios where data offloading is necessary to prevent congestion and maintain high performance.

Referring next to FIG. 4, a block diagram of an embodiment of a cloud open systems interconnection (OSI) model is shown. The cloud OSI model for cloud computing environments partitions the flow of data in a communication system into six layers of abstraction. The cloud OSI model for cloud computing environments can include, in order: an application layer, a service layer, an image layer, a software-defined data center layer, a hypervisor layer, and an infrastructure layer. The respective layer serves a class of functionality to the layer above it and is served by the layer below it. Classes of functionality can be realized in software by various communication protocols.

The infrastructure layer can include hardware, such as physical devices in a data center, that provides the foundation for the rest of the layers. The infrastructure layer can transmit and receive unstructured raw data between a device and a physical transmission medium. For example, the infrastructure layer can convert the digital bits into electrical, radio, or optical signals.

The hypervisor layer can perform virtualization, which can permit the physical devices to be divided into virtual machines that can be bin-packed onto physical machines for greater efficiency. The hypervisor layer can provide virtualized computing, storage, and networking. For example, OpenStack® software that is installed on bare metal servers in a data center can provide virtualization cloud capabilities. The OpenStack® software can provide various infrastructure management capabilities to cloud operators and administrators and can utilize the Infrastructure-as-Code concept for deployment and lifecycle management of a cloud data center. In the Infrastructure-as-Code concept, the infrastructure elements are described in definition files. Changes in the files are reflected in the configuration of data center hosts and cloud services.

In the traditional OSI model, the data link layer is responsible for node-to-node data transfer and error handling within the same network segment. When considering the cloud OSI model, which adapts the traditional layers to fit cloud computing environments, the equivalent of the data link layer could be seen as part of the hypervisor layer. The hypervisor layer in the cloud OSI model deals with virtualization, providing virtual network interface cards (NICs) for virtual machines (VMs) that interact with the data link layer's functions. It manages the virtual switches that handle data traffic between VMs, ensuring that the data link layer protocols are adhered to for accurate communication within the virtualized environment. This layer ensures that the cloud infrastructure maintains the mechanisms pertinent to data transfer and reliability, akin to the data link layer's role in the traditional model. Understanding this correspondence is cardinal for network professionals working with cloud-based technologies.

The software-defined data center layer can provide resource pooling, usage tracking, and governance on top of the hypervisor layer. The software-defined data center layer can enable the creation of virtualization for the Infrastructure-as-Code concept by using representational state transfer (REST) application programming interfaces (APIs). The management of block storage devices can be virtualized, and users can be provided with a self-service API to request and consume those resources which do not entail any knowledge of where the storage is deployed or on what type of device. Various compute nodes can be balanced for storage.

The image layer can use various operating systems and other pre-installed software components. Patch management can be used to identify, acquire, install, and verify patches for products and systems. Patches can be used to rectify security and functionality problems in software. Patches can also be used to add new features to operating systems, including security capabilities. The image layer can focus on computing in place of storage and networking. The instances within the cloud computing environments can be provided at the image layer.

The service layer can provide middleware, such as functional components that applications use in tiers. In some examples, the middleware components can include databases, load balancers, web servers, message queues, email services, or other notification methods. The middleware components can be defined at the service layer on top of specific images from the image layer. Different cloud computing environment providers can have different middleware components. The application layer can interact with software applications that implement a communicating component. The application layer is the layer that is closest to the user. Functions of the application layer can include identifying communication partners, determining resource availability, and synchronizing communications. Applications within the application layer can include custom code that makes use of middleware defined in the service layer.

Various features discussed above can be performed at multiple layers of the cloud OSI model for cloud computing environments. For example, translating the general policies into specific policies for different cloud computing environments can be performed at the service layer and the software-defined data center layer. Various scripts can be updated across the service layer, the image layer, and the software-defined data center layer. Further, APIs and policies can operate at the software-defined data center layer and the hypervisor layer.

Different cloud computing environments can have different service layers, image layers, software-defined data center layers, hypervisor layers, and infrastructure layers. Further, respective cloud computing environments can have the application layer that can make calls to the specific policies in the service layer and the software-defined data center layer. The application layer can have noticeably the same format and operation for respective different cloud computing environments. Accordingly, developers for the application layer are not obliged to understand the peculiarities of how respective cloud computing environments operate in the other layers.

Referring next to FIG. 5, a sequence diagram of an architecture for a clientless SASE solution is shown. The clientless SASE solution includes an IoT device that has a device application and a SIM installed. The SIM carries the network identifiers. The clientless SASE solution further includes a 4G/5G network, the connectivity management platform, the management plane, a SASE gateway, and a global network. The 4G/5G network has signal transmitters and a packet core. In the clientless SASE solution all these components interact amongst one another to provide a global SIM secure clientless SASE architecture for the cellular devices.

As a first step, the connectivity management platform provisions the SIM/eSIM/iSIM with multiple network identifiers (IMSIs), configured with a custom APN for 4G or a custom DNN for 5G. The IoT device authenticates with the 4G/5G network using the network identifier in the SIM and is in an active state with an IPv4/IPv6 address assigned to the IoT device. Next, the connectivity management platform coordinates with the 4G/5G subscription management entity in the packet core over the Gx interface or using a REST API to get/assign a static/dynamic IP assignment in the subnet range specific to the custom APN in the 4G network or the custom DNN in the 5G network. The management plane then retrieves account and subscription details from the connectivity management platform to create the “device-to-IP mapping” using a UUMSI identifier as the primary key. Finally, the management plane distributes the “device-to-IP” mapping to the relevant SASE gateways in real-time.

When the IoT device initiates a data session, the traffic is securely steered through the packet core network using the custom APN in 4G or DNN in 5G. For this purpose, the cellular network identifies the traffic associated with the custom APN or DNN and routes it to the designated SASE gateway using the intelligent traffic steering mechanism. The SASE gateway receives the traffic, performs a reverse lookup using the source IP address to determine the corresponding device identity (UUMSI), and applies the appropriate security policies, access controls, and inline security functions (Firewall, ACLs, etc.) based on the device's identity and tenant-specific requirements. If the traffic is deemed secure and compliant, the SASE gateway forwards it to the intended destination. If any suspicious activity or policy violations are detected, the SASE gateway takes appropriate actions, such as blocking the traffic, quarantining the device, or sending alerts. At the end, the SASE gateway sends real-time telemetry and logs to the management plane, providing a centralized view of the security posture across all connected cellular devices.

Referring next to FIG. 6, an entity relationship diagram representing a “device-to-IP” mapping at the cellular network is shown. The presented SQL schema and entity relationship diagram (ERD) showcase a novel approach to enable the clientless SASE solution for the cellular devices. The clientless SASE solution leverages the power of a UUMSI as a unique identifier for individual devices, allowing for efficient device-to-IP mapping and granular security policy enforcement. Some aspects of the “Device-to-IP Mapping Database” include: UUMSI as a central identifier, flexible device identity management, real-time Device-to-IP mapping, granular security policy definition, and scalable and efficient policy enforcement.

The UUMSI serves as the primary key in a ‘subscriber’ table, acting as a universal identifier for individual cellular devices. This approach simplifies device identification and enables seamless integration with the SASE framework. The entity relationship diagram incorporates separate tables, a ‘subscriber_imsi’ and a ‘subscriber_imei’, to handle multiple IMSIs and IMEIs associated with a single UUMSI. This flexibility accommodates modern SIM scenarios, such as multi-IMSI profiles and device switching. An ‘apn’ table provides the identification, type, and name of the APN used and is accompanied by a ‘subscriber_apn’ table that provides the IP addresses corresponding to the APN.

A ‘device_ip_mapping’ table captures the real-time mapping between a device's UUMSI and its assigned IP address. This mapping allows the management plane to efficiently distribute the information to the SASE gateways, enabling quick policy enforcement based on the device's IP address. A ‘security_policy’ table allows for the definition of fine-grained security policies, including attributes like policy type, action, and priority. These policies can be associated with specific subscribers through a ‘subscriber_policy’ table, enabling personalized and context-aware security enforcement. By associating security policies directly with the UUMSI, the schema enables the SASE gateways to quickly retrieve and enforce the relevant policies for individual devices based on their IP addresses. This approach ensures scalable and efficient policy enforcement in real-time, even in large-scale cellular deployments.

Referring next to FIG. 7, an algorithmic representation of a subscriber schema of the clientless security system is shown. The subscriber schema provided outlines a database structure for a clientless SASE solution for the cellular devices. The ‘subscriber’ table serves as the foundation, storing unique identifiers and subscription details for individual users. The ‘subscriber_imsi’ and ‘subscriber_imei’ tables respectively extend this by mapping individual subscribers to their respective International Mobile Subscriber Identity (IMSI) and International Mobile Equipment Identity (IMEI), ensuring secure identification of both the user and their device.

The ‘apn’ table holds information about the Access Point Name (APN), which is decisive for connecting to different networks, while the ‘subscriber_apn’ table links subscribers to their assigned APNs and IP addresses, facilitating network access and management. The ‘device_ip_mapping’ table tracks the dynamic allocation of IP addresses to devices, recording the time span of each mapping, which is cardinal for maintaining session continuity and security. Lastly, the ‘security_policy’ table defines the security policies in place, detailing their actions and priorities, and the ‘subscriber_policy’ table associates these policies with individual subscribers, allowing for personalized security measures. The subscriber schema is useful in enabling a SASE solution that provides secure, scalable, and efficient network access for cellular devices. The subscriber schema ensures that individual components of the network access and security process are accounted for, from subscriber and tenant identification to policy enforcement, creating a comprehensive framework for secure connectivity.

The ‘subscriber’ table of the subscriber schema includes fields like ‘UUMSI’, ‘iccid’, and ‘eid’, which are directly related to the SIM card. The ‘UUMSI’ is a unique identifier that refers to the Universal Unique Mobile Subscriber Identifier. The ‘iccid’ is the integrated circuit card identifier, a unique serial number of the SIM card itself, while the ‘eid’ represents the eSIM identifier, which is used in newer devices that do not require a physical SIM card. The presence of both ‘iccid’ and ‘eid’ in the subscriber schema suggests that the system is designed to support both traditional removable SIM cards and eSIMs. This dual support is cardinal for a SASE solution, as it allows flexibility in managing cellular connections for a variety of devices with different SIM technologies. The ‘subscriber_imsi’ and ‘subscriber_imei’ tables further emphasize the importance of the SIM card, as they link the subscriber's identity to the IMSI and IMEI, which are quintessential for the network to authenticate the device and grant access.

Moreover, the ‘subscriber_apn’ table's inclusion of the ‘apn_ip_address’ indicates that each SIM type can be assigned a specific APN for connecting to the service provider's network with the correct settings for internet and other services. This is particularly exigent for SASE solutions, as the APN determines the IP address that the device will use, which in turn can affect the security policies applied to the traffic from that device. The subscriber schema enables the SASE solution to provide a seamless and secure connection for a wide range of cellular devices, accommodating the evolving landscape of mobile technology.
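The schema and the gateway's reverse lookup described for FIG. 6 and FIG. 7, rendered here as an added SQLite example that is not the patent's own schema; column names beyond the ones the description mentions, the 40-digit UUMSI width, the tenant names, addresses and timestamps are all constructed for this example.

```python
"""Added example (not from the patent): device-to-IP mapping database with
the reverse lookup a SASE gateway performs: source IP -> UUMSI -> tenant ->
policies. The validity window on device_ip_mapping is what keeps a reused
cellular IP from being attributed to the wrong device or tenant."""
import sqlite3
from typing import List, Optional, Tuple

SCHEMA = """
CREATE TABLE subscriber (
    uumsi     TEXT PRIMARY KEY,        -- fixed-length, all-digit identifier
    tenant_id TEXT NOT NULL,
    iccid     TEXT,                    -- physical SIM serial, if any
    eid       TEXT);                   -- eSIM identifier, if any
CREATE TABLE subscriber_imsi (
    imsi  TEXT PRIMARY KEY,
    uumsi TEXT NOT NULL REFERENCES subscriber(uumsi));
CREATE TABLE subscriber_imei (
    imei  TEXT PRIMARY KEY,
    uumsi TEXT NOT NULL REFERENCES subscriber(uumsi));
CREATE TABLE apn (
    apn_id   INTEGER PRIMARY KEY,
    apn_type TEXT NOT NULL,            -- 'APN' (4G) or 'DNN' (5G)
    apn_name TEXT NOT NULL UNIQUE);
CREATE TABLE subscriber_apn (
    uumsi          TEXT NOT NULL REFERENCES subscriber(uumsi),
    apn_id         INTEGER NOT NULL REFERENCES apn(apn_id),
    apn_ip_address TEXT NOT NULL,
    PRIMARY KEY (uumsi, apn_id));
CREATE TABLE device_ip_mapping (
    uumsi      TEXT NOT NULL REFERENCES subscriber(uumsi),
    ip_address TEXT NOT NULL,
    valid_from TEXT NOT NULL,          -- ISO-8601 UTC; compares correctly as text
    valid_to   TEXT);                  -- NULL while the mapping is current
CREATE INDEX idx_mapping_ip ON device_ip_mapping(ip_address);
CREATE TABLE security_policy (
    policy_id   INTEGER PRIMARY KEY,
    policy_type TEXT NOT NULL,
    action      TEXT NOT NULL,
    priority    INTEGER NOT NULL);     -- lower value is evaluated first
CREATE TABLE subscriber_policy (
    uumsi     TEXT NOT NULL REFERENCES subscriber(uumsi),
    policy_id INTEGER NOT NULL REFERENCES security_policy(policy_id),
    PRIMARY KEY (uumsi, policy_id));
"""

# Constructed 40-digit UUMSIs for one device in each of two tenants.
DEV_A = "1".rjust(40, "0")
DEV_B = "2".rjust(40, "0")


def build_demo_db() -> sqlite3.Connection:
    """In-memory database loaded with constructed rows, including an address
    that DEV_A released and the network later reassigned to DEV_B."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO subscriber VALUES (?, ?, ?, ?)", [
        (DEV_A, "tenant-a", "8991101200003204514", None),
        (DEV_B, "tenant-b", None, "89049032000001000000000000000001")])
    conn.execute("INSERT INTO apn VALUES (1, 'APN', 'sase.example')")
    conn.executemany("INSERT INTO subscriber_apn VALUES (?, ?, ?)", [
        (DEV_A, 1, "10.20.0.5"), (DEV_B, 1, "10.20.0.5")])
    conn.executemany("INSERT INTO device_ip_mapping VALUES (?, ?, ?, ?)", [
        (DEV_A, "10.20.0.5", "2026-01-01T00:00:00Z", "2026-01-02T00:00:00Z"),
        (DEV_B, "10.20.0.5", "2026-01-02T00:00:00Z", None)])
    conn.executemany("INSERT INTO security_policy VALUES (?, ?, ?, ?)", [
        (1, "url_filter", "block", 10), (2, "dlp", "alert", 20)])
    conn.executemany("INSERT INTO subscriber_policy VALUES (?, ?)", [
        (DEV_A, 2), (DEV_A, 1), (DEV_B, 1)])
    return conn


def reverse_lookup(conn: sqlite3.Connection, source_ip: str,
                   at: str) -> Optional[Tuple[str, str]]:
    """(uumsi, tenant_id) of the device holding source_ip at time 'at', or None."""
    return conn.execute(
        """SELECT s.uumsi, s.tenant_id
             FROM device_ip_mapping m JOIN subscriber s ON s.uumsi = m.uumsi
            WHERE m.ip_address = ? AND m.valid_from <= ?
              AND (m.valid_to IS NULL OR m.valid_to > ?)""",
        (source_ip, at, at)).fetchone()


def policies_for(conn: sqlite3.Connection, uumsi: str) -> List[Tuple[str, str]]:
    """(policy_type, action) pairs attached to a device, highest priority first."""
    return conn.execute(
        """SELECT p.policy_type, p.action
             FROM subscriber_policy sp
             JOIN security_policy p ON p.policy_id = sp.policy_id
            WHERE sp.uumsi = ? ORDER BY p.priority""", (uumsi,)).fetchall()
```

A lookup that omits the `valid_from`/`valid_to` test returns both rows for the reused address, which is exactly the misattribution the time span in the mapping table is meant to prevent.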

Referring next to FIG. 8, an algorithmic representation of the UUMSI for cellular security is shown. The Universal Unique Mobile Subscriber Identifier (UUMSI) is a proposed identifier format designed to enhance cellular security within a clientless SASE framework. The UUMSI schema is particularly relevant in the context of cellular networks where traditional security measures may not suffice due to the absence of clients on IoT devices. The UUMSI provides a unique, global, and consistent identifier for mobile subscribers across different device types, such as SIM, eSIM, and iSIM. The ‘createUUMSI’ function is the core of the UUMSI schema, which generates the UUMSI based on the device type and tenant information. For a SIM card, the integrated circuit card identifier (ICCID) is retrieved and normalized; for an eSIM, the embedded identifier (EID) is used; and for an iSIM, a unique identifier is obtained. If the device does not match any of these types, the UUMSI is set to null. After acquiring the tenant information, it is also normalized and incorporated into the UUMSI. The UUMSI schema incorporates tenant information into the identifier, which helps in maintaining a secure multi-tenant environment by preventing unauthorized access and ensuring that each tenant's communications are properly encrypted and routed. This ensures that data and resources are correctly allocated, and that each tenant's data remains isolated and secure.

The normalization process is carried out by the ‘normalizedUUMSI’ function, which ensures that each identifier is unique and not easily replicable. The ‘padWithLeadingZeros’ function ensures that the UUMSI has a consistent length, which is obligatory for database storage and processing. The implementation of this function will vary depending on the programming language used, but its purpose remains the same: to standardize the length of the identifier.

The schema's design allows for efficient management of encryption keys in a multi-tenant system, making it a suitable solution for the dynamic and flexible security requirements of modern cellular networks. As an example, the UUMSI schema provides handling of tenant-specific encryption by associating individual UUMSI with the appropriate key stored in a secure key management system. In a multi-tenant environment, where resources and services are shared among various users or entities, it is cardinal to maintain strict separation of individual tenant's data. This is achieved by assigning unique encryption keys to individual tenants, which are then used in conjunction with the UUMSI to provide an additional layer of security. The process begins with the generation of the UUMSI, which is based on device-specific identifiers. Once the UUMSI is created, it can be associated with tenant-specific encryption keys. These keys are used to encrypt and decrypt data transmitted to and from the cellular devices, ensuring that individual tenant's data remains secure and isolated from others.

Referring next to FIG. 9, a clientless security method for securing the cellular devices across a cellular network in a cloud-based environment is shown. At block 902, the cellular network receives traffic from the cellular device and identifies the traffic associated with custom network identifiers. At block 904, the traffic steering module routes the traffic to secure gateways using the tunnels. The tunnels of the clientless security system are IPsec tunnels that are used to secure network communications. This provides a means to establish encrypted connections across public networks. Traffic incoming from different tenants remains separated in the tunnels.

At block 906, the clientless security system receives traffic from the traffic steering module at the gateway. The gateways are responsible for tasks such as authentication, routing, and packet optimization, which are cardinal for the operation of 3G, 4G, and 5G networks. At block 908, the lookup module at the gateway performs a reverse lookup using the source IP addresses. The lookup module also takes input from the device-to-IP mapping database to establish a correlation.

At block 910, the gateway of the clientless security system determines the device identity corresponding to a traffic instance in the cellular network. At block 912, the DLP block loads policies from the policy database and applies them to the traffic instance. The DLP block then analyzes the traffic in comparison to the policies and detects any violation of the policy at block 914.

At block 914, if a policy violation is not detected, the clientless security system forwards traffic to the destination. Otherwise, if a policy violation is detected, the alert generator sends an alert to the tenant(s) for further remediation of the violation. The remediation acts include blocking/restarting the subscriber, blocking/restarting the corresponding traffic, providing limited connectivity to the anomalous cellular device or tenant, or quarantining the malicious traffic instance.

Referring next to FIG. 10, a traffic steering mechanism for routing traffic at the clientless security system is shown. The traffic steering mechanism is carried out by the traffic steering module of the clientless security system. When the IoT device initiates a data session, the traffic is securely steered through the packet core network using the custom APN in 4G or DNN in 5G. For this purpose, the cellular network identifies the traffic associated with the custom APN or DNN and routes it to the designated SASE gateway using the intelligent traffic steering mechanism. The SASE gateway receives the traffic, performs a reverse lookup using the source IP address to determine the corresponding device identity (UUMSI), and applies the appropriate security policies, access controls, and inline security functions (Firewall, ACLs, etc.) based on the device's identity and tenant-specific requirements. At block 1002, the connectivity management platform provisions the SIM/eSIM/iSIM with multiple network identifiers (IMSIs), configured with a custom APN for 4G or a custom DNN for 5G. The IoT device authenticates with the 4G/5G network using the network identifier in the SIM and is in an active state with an IPv4/IPv6 address assigned to the IoT device.

At block 1004, the connectivity management platform coordinates with the 4G/5G subscription management entity in the packet core over the Gx interface or using a REST API to get/assign a static/dynamic IP assignment in the subnet range specific to the custom APN in the 4G network or the custom DNN in the 5G network. At block 1010, the management plane retrieves account and subscription details from the connectivity management platform.

At block 1012, the management plane creates the “device-to-IP mapping” using a unique Universal Unique Mobile Subscriber Identifier (UUMSI) as the primary key. At block 1014, the management plane distributes the “device-to-IP” mapping to the relevant SASE gateways in real-time. These “device-to-IP mappings” are stored in the device-to-IP mapping database, which takes UUMSI as a central identifier and provides flexible device identity management, real-time device-to-IP mapping, granular security policy definition, and scalable and efficient policy enforcement. Finally, at block 1016, the traffic steering module 110 routes the traffic to a designated gateway in the cellular network.

Referring next to FIG. 11, a flowchart representation of a UUMSI for cellular security is shown. The UUMSI addresses the limitations of traditional identifiers and provides a secure, scalable, and interoperable solution for device identification and access control in a clientless SASE environment. By leveraging UUMSI, the clientless security system can effectively manage and secure the cellular devices, enforce granular security policies, and enhance the overall security posture of cellular deployments.

At block 1102, the UUMSI block determines the type of the cellular device, as the UUMSI provides a unique, global, and consistent identifier for mobile subscribers across different device types, such as SIM, eSIM, and iSIM. At block 1104, the UUMSI block retrieves the integrated circuit card identifier (ICCID) for a SIM card. At block 1106, the UUMSI block retrieves the Embedded Identifier (EID) for an eSIM. At block 1108, the UUMSI block retrieves the unique identifier for an iSIM.

If the device does not match any of these types at block 1110, the UUMSI is set to null at block 1120. At block 1111, the UUMSI block gets information on the tenant(s) at the cellular network that use the device types mentioned above. This ensures that data and resources are correctly allocated, and that each tenant's data remains isolated and secure.

At block 1112, the UUMSI is normalized, which ensures that each individual identifier is unique and not easily replicable. At block 1116, the UUMSI block checks whether the UUMSI is padded with leading zeros or not. This is done to ensure that the UUMSI has a consistent length, which is obligatory for database storage and processing. The implementation of this function will vary depending on the programming language used, but its purpose remains the same: to standardize the length of the identifier.

If the UUMSI is not padded with leading zeros at block 1112, it is pushed back to the previous stage. Otherwise, if the UUMSI is padded with leading zeros, then a fixed-length UUMSI is returned at block 1118. At block 1112, the UUMSI block returns a UUMSI for a device, which is then used to provide a global secure clientless solution for the cellular devices.
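The ‘createUUMSI’ flow described for FIG. 8 and FIG. 11 (type dispatch, normalization, leading-zero padding, tenant incorporation, null for unknown types), written out as an added Python example that is not the patent's own code. The concrete layout is an assumption: an 8-digit tenant field followed by a 32-digit device field (32 because EIDs are 32 decimal digits), a Luhn check on ICCIDs, and digits-only normalization; the identifiers used below are constructed.

```python
"""Added example (not from the patent): UUMSI construction following the
FIG. 8 / FIG. 11 flow. Field widths, the Luhn check and the normalization
rule are assumptions made for this example."""
import re
from typing import Optional

UUMSI_LENGTH = 40        # assumed total length; the text only says "fixed-length"
TENANT_DIGITS = 8        # assumed width of the tenant field
DEVICE_DIGITS = UUMSI_LENGTH - TENANT_DIGITS   # 32 digits: an EID fits unpadded


def luhn_valid(digits: str) -> bool:
    """ICCIDs end in a Luhn check digit; a value that fails it is not a real ICCID."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            n = n * 2 - 9 if n * 2 > 9 else n * 2
        total += n
    return total % 10 == 0


def normalize_identifier(raw: str) -> str:
    """Normalization step: strip separators and whitespace, accept digits only.
    Anything else (hex, letters, empty) is rejected rather than guessed at."""
    cleaned = re.sub(r"[\s\-]", "", raw)
    if not cleaned or not cleaned.isdigit():
        raise ValueError(f"identifier is not an all-digit string: {raw!r}")
    return cleaned


def pad_with_leading_zeros(value: str, width: int) -> str:
    """Fixed-length field: left-pad with zeros, never truncate."""
    if len(value) > width:
        raise ValueError(f"{value!r} is longer than the {width}-digit field")
    return value.rjust(width, "0")


def create_uumsi(device_type: str, device_identifier: str,
                 tenant_id: str) -> Optional[str]:
    """Return a fixed-length all-digit UUMSI, or None for an unknown device type."""
    kind = device_type.strip().lower()
    if kind == "sim":                             # ICCID of a physical SIM
        ident = normalize_identifier(device_identifier)
        if not luhn_valid(ident):
            raise ValueError("ICCID failed its Luhn check digit")
    elif kind == "esim":                          # EID of an embedded SIM
        ident = normalize_identifier(device_identifier)
    elif kind == "isim":                          # integrated SIM identifier
        ident = normalize_identifier(device_identifier)
    else:
        return None                               # block 1120: UUMSI is null
    tenant = pad_with_leading_zeros(normalize_identifier(tenant_id), TENANT_DIGITS)
    device = pad_with_leading_zeros(ident, DEVICE_DIGITS)
    uumsi = tenant + device
    # Invariant the database layer relies on: fixed length, digits only.
    if len(uumsi) != UUMSI_LENGTH or not uumsi.isdigit():
        raise ValueError("internal error: UUMSI invariant violated")
    return uumsi


def tenant_of(uumsi: str) -> str:
    """Recover the tenant field; the layout is fixed, so this is a plain slice."""
    return uumsi[:TENANT_DIGITS].lstrip("0") or "0"
```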

Referring next to FIG. 12, a flowchart of an embodiment of the clientless security system for the cellular devices with or without a certificate installed is shown. The certificate is an organization's package installed at the cellular device to provide a global secure SIM clientless SASE solution. The clientless security system provides security to the cellular device in both cases: where the cellular device has a certificate installed for hypertext transfer protocol (HTTP) communication, and where it does not. For the cases where there is no way to install an HTTPS trusted certificate, the clientless security system can still do server name indication (SNI) based URL filtering to keep the cellular device safe.

At block 1202, the lookup module 304 at the gateway 104 loads tenant information from the device-to-IP mapping database 302. At block 1204, the SWG 312 decrypts the secure sockets layer (SSL). The SSL decryption at block 1204 allows authorized users or organizations to convert the encrypted data back to its original, readable state. This allows network security professionals to monitor for and protect against potential threats, as it enables them to inspect the contents of encrypted traffic.

At block 1206, the clientless security system 100 checks whether a certificate for HTTP communication is installed on the cellular device 108. If certificates are not installed at the cellular device 108, then the URL is classified based on SNI at block 1208. Classifying URLs for the cellular devices 108 based on Server Name Indication (SNI) is a technique used to identify and filter web traffic without the need for a certificate in HTTP communication. SNI is an extension of the TLS protocol that allows a client to specify the hostname it is trying to reach during the initial connection, which is particularly useful when a single IP address hosts multiple domains. This method is useful for the cellular devices 108 where installing certificates for HTTP communication may not be feasible. However, it is important to note that while SNI can facilitate domain name identification without a certificate, it does not encrypt the communication. For secure HTTPS communication, certificates are still required to prevent man-in-the-middle attacks and ensure data integrity. For cellular networks where resources are constrained, SNI-based URL classification optimizes web filtering and security measures without the overhead of certificate management.

On the other hand, if the certificates are installed at the cellular device 108, then the SWG 312 enforces proxy policies at block 1210. The SWG proxy policy enforcement includes classifying URLs at block 1212, application identification and event filtering at block 1214, data loss prevention (DLP) by the DLP block 308 at block 1216, and target set selection (TSS) by the TSS block 314 at block 1218. To enforce policies, the relevant policies are extracted from the policy database, and at block 1220 the remediation block 310 remediates the threat at the cellular network.

Finally, at block 1222, the SWG 312 encrypts the SSL at the cellular network. SSL encryption ensures that sensitive information can be transmitted securely, typically between a web server and a browser. When data is sent over an SSL connection, it is encrypted with a digital key, making it unreadable to anyone except the intended recipient who has the correct decryption key. This process is useful for protecting sensitive data such as credit card numbers, login credentials, and personal information.
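As an added illustration of blocks 1206 through 1210 (example code, not from the patent or its assignee), the following Python reads the SNI host name directly out of a TLS ClientHello so a gateway can classify the URL without any certificate on the device, and hands the connection to the SWG proxy path when a certificate is installed. The ClientHello builder, the hostnames, the category table and the deny set are all constructed for this example.

```python
import struct
# Constructed URL category table (made-up hosts) standing in for the patent's URL database.
URL_CATEGORIES = {"cdn.example.net": "cdn", "bad.example.org": "malware"}
DENY = {"malware", "phishing"}

def build_client_hello(hostname: str) -> bytes:  # constructed minimal TLS 1.2 ClientHello
    name = hostname.encode("ascii")
    sni_list = b"\x00" + struct.pack("!H", len(name)) + name       # name type host_name
    sni_ext = struct.pack("!HHH", 0, len(sni_list) + 2, len(sni_list)) + sni_list
    # version, 32-byte random, empty session id, one cipher suite, null compression, exts
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00\x00\x02\x13\x01\x01\x00"
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    hs = b"\x01" + struct.pack("!I", len(body))[1:] + body          # type 1, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def extract_sni(record: bytes) -> "str | None":
    """Read host_name from the SNI extension; nothing is decrypted."""
    try:
        if record[0] != 0x16:                                   # not a handshake record
            return None
        hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
        if hs[0] != 0x01:                                       # not a ClientHello
            return None
        p = 4 + 2 + 32                                          # header, version, random
        p += 1 + hs[p]                                          # session id
        p += 2 + struct.unpack("!H", hs[p:p + 2])[0]            # cipher suites
        p += 1 + hs[p]                                          # compression methods
        p += 2                                                  # extensions length (runs to end)
        while p + 4 <= len(hs):
            etype, elen = struct.unpack("!HH", hs[p:p + 4])
            p += 4
            if etype == 0 and hs[p + 2] == 0:                   # server_name, host_name
                nlen = struct.unpack("!H", hs[p + 3:p + 5])[0]
                return hs[p + 5:p + 5 + nlen].decode("ascii")
            p += elen
    except (IndexError, struct.error, UnicodeDecodeError):
        pass
    return None

def decide(client_hello: bytes, cert_installed: bool) -> dict:
    # Block 1206: with a trusted certificate the SWG can decrypt and run full proxy policies.
    if cert_installed:
        return {"path": "swg_proxy", "action": "decrypt_and_enforce"}
    host = extract_sni(client_hello)
    if host is None:                    # nothing to classify: fail closed
        return {"path": "sni_filter", "action": "block", "reason": "no SNI"}
    category = URL_CATEGORIES.get(host, "uncategorized")       # block 1208
    return {"path": "sni_filter", "host": host, "category": category,
            "action": "block" if category in DENY else "allow"}
```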

The clientless security system 100 further provides security for the firewall side of the network. Both URL-based and SNI-based filtering, along with other mechanisms, are performed on the traffic at the firewall 102. SNI-based URL filtering at the firewall uses the SNI field, which is part of the TLS handshake, to determine the hostname of the server that the client is attempting to connect to. Firewalls like FortiGate, Palo Alto Networks, or an organization's own firewall networks can be configured to inspect the SNI field and make allow or block decisions based on predefined policies.

Specific details are given in the above description to provide a thorough understanding of the embodiments. However, it is understood that the embodiments may be practiced without these specific details. For example, circuits may be shown in block diagrams in order not to obscure the embodiments in unnecessary detail. In other instances, well-known circuits, processes, algorithms, structures, and techniques may be shown without unnecessary detail in order to avoid obscuring the embodiments.

Implementation of the techniques, blocks, steps and means described above may be done in various ways. For example, these techniques, blocks, steps and means may be implemented in hardware, software, or a combination thereof. For a hardware implementation, the processing units may be implemented within one or more application specific integrated circuits (ASICs), digital signal processors (DSPs), digital signal processing devices (DSPDs), programmable logic devices (PLDs), field programmable gate arrays (FPGAs), processors, controllers, micro-controllers, microprocessors, other electronic units designed to perform the functions described above, and/or a combination thereof.

Also, it is noted that the embodiments may be described as a process that is depicted as a flowchart, a flow diagram, a swim diagram, a data flow diagram, a structure diagram, or a block diagram. Although a depiction may describe the operations as a sequential process, many of the operations can be performed in parallel or concurrently. In addition, the order of the operations may be re-arranged. A process is terminated when its operations are completed but could have additional steps not included in the figure. A process may correspond to a method, a function, a procedure, a subroutine, a subprogram, etc. When a process corresponds to a function, its termination corresponds to a return of the function to the calling function or the main function.

Furthermore, embodiments may be implemented by hardware, software, scripting languages, firmware, middleware, microcode, hardware description languages, and/or any combination thereof. When implemented in software, firmware, middleware, scripting language, and/or microcode, the program code or code segments to perform the necessary tasks may be stored in a machine-readable medium such as a storage medium. A code segment or machine-executable instruction may represent a procedure, a function, a subprogram, a program, a routine, a subroutine, a module, a software package, a script, a class, or any combination of instructions, data structures, and/or program statements. A code segment may be coupled to another code segment or a hardware circuit by passing and/or receiving information, data, arguments, parameters, and/or memory contents. Information, arguments, parameters, data, etc. may be passed, forwarded, or transmitted via any suitable means including memory sharing, message passing, token passing, network transmission, etc.

For a firmware and/or software implementation, the methodologies may be implemented with modules (e.g., procedures, functions, and so on) that perform the functions described herein. Any machine-readable medium tangibly embodying instructions may be used in implementing the methodologies described herein. For example, software codes may be stored in a memory. Memory may be implemented within the processor or external to the processor. As used herein the term “memory” refers to any type of long term, short term, volatile, nonvolatile, or other storage medium and is not to be limited to any particular type of memory or number of memories, or type of media upon which memory is stored.

Moreover, as disclosed herein, the term “storage medium” may represent one or more memories for storing data, including read-only memory (ROM), random access memory (RAM), magnetic RAM, core memory, magnetic disk storage mediums, optical storage mediums, flash memory devices and/or other machine-readable mediums for storing information. The term “machine-readable medium” includes but is not limited to portable or fixed storage devices, optical storage devices, and/or various other storage mediums capable of storing that contain or carry instruction(s) and/or data.

While the principles of the disclosure have been described above in connection with specific apparatuses and methods, it is to be clearly understood that this description is made only by way of example and not as a limitation on the scope of the disclosure.


Patent Metadata

Filing Date

March 3, 2025

Publication Date

January 15, 2026

Inventors

Kallol Banerjee
Jonathan Bosanac
Milind Gunjan


Citation & reuse

Analysis on this page is generated by Patentable — an AI-powered patent intelligence platform. AI-generated summaries, explanations, and analysis may be reused with attribution and a visible link back to the canonical URL below. Patent abstracts and claims are USPTO public domain.

Cite as: Patentable. “CLIENTLESS SASE ARCHITECTURE WITH ADAPTIVE PROXY POLICIES ENFORCEMENT BASED ON CERTIFICATE INSTALLATION” (US-20260019811-A1). https://patentable.app/patents/US-20260019811-A1
